Embed Size (px)
Citation preview
How to get more mileage from randomness extractors
Ronen ShaltielUniversity of Haifa
Outline of this talk
Motivation for randomness extractors. Deterministic and seeded extractors. Our results. Something about the proof
Randomness extractors (motivation)
Daddy, how do
computers get random
bits?
Do we have to tell that same old
story again.
Randomness extractors (motivation)Randomness is essential in Computer
Science: Cryptography Distributed Protocols Probabilistic Algorithms
Algorithm designers always assume that we have access to a stream of independent unbiassed coin tosses.
How do computers get random bits?
Refining randomness from nature
We have access to distributions in nature:
Particle reactions Key strokes of user Timing of past events(Really used in real life)These distributions are
“somewhat random” but not “truly random”.
Solution: Randomness Extractors
random coins
Probabilistic algorithm
input
output
Somewhat random
RandomnessExtractor
Outline of this talk
Motivation for randomness extractors. Deterministic and seeded extractors. Our results. Something about the proof
Seeded
Randomness Extractors: Definition and two flavors
C is a class of distributions over n bit strings “containing” k bits of (min)-entropy.
A deterministic (seedless) C-extractor is a function E such that for every XєC, E(X) is ε-close to uniform.
A seeded C-extractor has an additional (short i.e. log n) independent random seed as input.
source distribution from C
Extractorseed
random output
Deterministic
• A distribution X has min-entropy ≥ k if ∀x: Pr[X=x] ≤ 2-k
• Two distributions are ε-close if the probability they assign to any event differs by at most ε.
Extractors turn out to have lots of applications in TCS.
A brief survey of randomness extractors
Deterministic von-Neumann sources [vN51]. Markov Chains [Blu84]. Several independent sources
[SV86,V86,V87,VV88,CG88,DEOR04,BIW04,BKSSW05,R05,R06,BRSW06].
Bit-fixing sources [CGHFRS85,KZ03,GRS04]
Samplable sources [TV00,KRVZ06].
Affine sources [BKSSW05,GR05].
Seeded C = {distributions
with (min)-entropy k} [Z91,NZ93].
Lower bound of log n on the seed length [NZ93,RT99].
Explicit constructions coming close to matching bound (mass of work).
Outline of this talk
Motivation for randomness extractors. Deterministic and seeded extractors. Our results. Something about the proof
Getting more mileage from (deterministic) extractors
before
DeterministicC-Extractor
extracts few bits
Our result: A general transformation (extending [GRS04])
DeterministicC-Extractor
extracts many bits
after
Applies to many classes C: several independent sources, samplable sources, bit-fixing sources*,
affine sources .* *Already follows from [GRS04,GR05].
2-source extractors [SV86]:
Consider the class of distributions X=(X1,X2) s.t. X1,X2 are independent distributions over n bits. X1,X2 have (min)-entropy k.
Dfn: A 2-source extractor (for threshold k) is a deterministic extractor for this class.
X1
n n
X2
2-sourceextractor
Goals:
• Achieve low entropy threshold e.g. k=o(n), major open problem (related to Ramsey graphs).
• Extract as many bits as possible (for large threshold, say k= ¾ n ). There are 2k random bits in source.
Getting more mileage from 2-source extractors
reference
# of bits extracted
comment
[CG88]1E(x1,x2)=<x1,x2>mod 2.
[Vaz87]Ω(n)
[DEOR04]
k+Ω(n)Almost all the bits from one source and some from the other.
Our result
2k-O(log(1/ε))
[RT98]<2k-2log(1/ε)Lower bound. (matched by probabilistic construction).
2-source extractors for entropy k=¾n and ε<1/n.
Optimal except for the precise constant multiplying log(1/ε)!
Proof: Transform existing construction
[Raz05] into an extractor which
extracts many bits.
¾can be replaced with any constant>
½
Outline of this talk
Motivation for randomness extractors. Deterministic and seeded extractors. Our results. Something about the proof
Getting more mileage from extractors: naïve approach
x1
x2
x3
xn
k random bits
DeterministicExtractor
random output
SeededExtractor
Seeded Extractors are only guaranteed to work when the source and seed are independent.
correlated!
Getting more mileage by reusing the output
[GRS04]: The naïve approach can work! For the restricted class of bit-fixing sources. Assuming some additional properties of the
deterministic and seeded extractors. [GR05]: Also works for affine sources. This paper: Extends the ideas of [GRS04]
General sufficient conditions for an arbitrary class of sources.
The main theorem Let C be a class of distributions. Let X be a distribution in C. Let dE be a deterministic ε-extractor for C. Let sE be a seeded extractor with seed
length t.
Assume the following closeness condition:
For every y∊{0,1}t and every value a: (X|sE(X,y)=a) is a distribution in C.
Then dE’(x)=sE(x,dE(x)) is a deterministic O(ε2t)-extractor for C.
The naïve approach works if:
• closeness condition satisfied.
• ε < 2t
Closer look at closeness condition
Previous intuition for naïve construction: dE extracts few bits and therefore (X|dE(X)=y) is a high entropy distribution. ⇒ sE can extract from (X|dE(X)=y). Problem: it could be the case that
∀y: y is a bad seed for the source (X|dE(X)=y).
Closeness Condition: For every y∊{0,1}t and every value a: (X|sE(X,y)=a) is a distribution in C.
Comment: (X|sE(X,y)=a) has lower entropy then X ⇒ In order to extract from X we must use dE which extracts from lower entropy distributions.
Intuition and proof
are different.
Outline of proof of main theorem(Simplifiying assumption ε=0)
Goal: prove that:sE(X,dE(X)) ≈ sE(X,Y)
Follows from: ∀y: (sE(X,dE(X))|dE(X)=y) ≈ (sE(X,Y)|Y=y)
(sE(X,y)|dE(X)=y) ≈ sE(X,y)
Will follow if ∀y: sE(X,y) is independent of dE(X).and this follows from closeness condition:
Closeness Condition: For every y∊{0,1}t and every value a: (X|sE(X,y)=a) is a distribution in C.
Therefore dE extracts randomness from this distribution and(dE(X)|sE(X,y)=a) ≈ Uniform
As this occurs ∀a we get that ∀y: sE(X,y) is independent of dE(X).
Use recycled
bits
Use independe
nt bits
Uniform distributi
on
Actual proof is more
technical because
ε≠0
Summary
before
DeterministicC-Extractor
extracts few bits
Our result: A general transformation (extending [GRS04])
DeterministicC-Extractor
extracts many bits
after
Applies to many classes C :
• We’ve seen: 2-independent sources.
• In paper: Distributions samplable by small circuits (defined by [TV])
Conclusions and open problems
Technique can be applied to many deterministic extraction scenarios.
Some additional work is needed to meet the closeness condition in various cases.
At the moment we don’t always have good deterministic extractors to start from (e.g. low entropy 2-source extractors, samplable sources).
Come up with new constructions of 2-source extractors and extractors for samplable distributions.
Can this technique be used to reduce the seed length of seeded extractors? We provide some counterexamples.
That’s it…
…having extracted many random bits they lived happily
ever after.
